Abstract

We review the notion of a classical random cipher and its advantages. We
sharpen the usual description of random ciphers to a particular mathematical
characterization suggested by the salient feature responsible for their increased
security. We describe a concrete system known as αη and show that it is
equivalent to a random cipher in which the required randomization is effected
by coherent-state quantum noise. We describe the currently known security
features of αη and similar systems, including lower bounds on the unicity
distances against ciphertext-only and known-plaintext attacks. We show how αη
used in conjunction with any standard stream cipher, such as AES (Advanced
Encryption Standard) run in a stream-cipher mode, provides an additional,
qualitatively different layer of security from physical encryption against
known-plaintext attacks on the key. We refute some claims in the literature that
αη is equivalent to a non-random stream cipher.

1 Introduction 

The possibility of achieving greater secrecy by introducing additional randomness
into the plaintext of a cipher before encryption was known, according to pQ, already
to Gauss, in the form of the so-called 'homophonic substitution'. Such a procedure is
an example of a random cipher 0Ej. The advantage of a random cipher not present
in standard nonrandom ciphers is that it can provide information-theoretic security
of the key against statistical attacks, and possibly known-plaintext attacks (see
Appendix A and also [2]). A somewhat detailed description of these possibilities is one
of the goals of this paper. In spite of the potential advantages of random ciphers, a
large obstacle to their deployment is the bandwidth expansion, or more accurately
data rate reduction, that is needed to operate all previous random ciphers. Also,
it is not currently possible to generate true random numbers at speeds high enough
for random ciphers to operate at sufficiently high data rates (~ Mbps is the current
upper limit for random number generation). The quantum noise in optical coherent-
state signals may be utilized for this purpose, and quantum optical effects seem to be
the only technologically feasible way to generate > Gbps true random numbers. A
particular quantum noise-based random cipher, called αη, that also does not entail
data rate reduction, has already been proposed and implemented E] at North-
western University. In a previous preprint [2], αη was discussed concomitantly with
the closely related key generation system called αη-KG. Since the features
of αη direct encryption are subtle and complex enough, we take the approach in
this paper of discussing just the αη encryption system in its own right, and analyze
quantitatively its random cipher feature. Doing so will hopefully also avert many
possible confusions with αη-Key Generation, such as those in E]. In particular,
we will set up in detail the proper framework to understand and analyze the security
issues involved. Note that the present paper can be understood independently of ref.
[2], the relevant terminology and results from which are summarized in Section 2.1
and Appendix A of this paper.

Following our discussion of random ciphers in general and the αη cryptosystem,
we show that αη security is equivalent to that of a corresponding classical random
cipher. We show how quantum noise allows some degree of randomization in αη with-
out sacrificing data rate, and quantify the randomization by two different parameters
corresponding to ciphertext-only and known-plaintext attacks. We also show how
αη can be operated on top of a standard cipher like AES to provide additional, qual-
itatively different, security based on quantum noise against known-plaintext attacks
on the key. However, information-theoretically, a ciphertext-only attack on the key
is possible with the original αη. We will indicate what additional techniques can
alleviate this problem, without going into any detailed analysis, which will be presented
at a later time. Generally, only search-complexity based security will be quantitatively
described in this paper. Finally, we rebut the claims in [HI IHj that αη security is
equivalent to that of a standard stream cipher and that αη is nonrandom.

The plan of this paper is as follows: In Section 2, we provide the necessary
review of standard cryptography. In addition, we define the random cipher concept
quantitatively and point out the available results on random cipher security. This
sets the stage for our definitions in Section 3 that characterize a quantum cipher and
a quantum random cipher, which are both ciphers in which the ciphertext is in the
form of a quantum state. In Section 4, we describe the αη system in detail, show
its quantum random cipher characteristics, and highlight its advantages. In Section
5, we respond to the criticisms of αη made by Nishioka et al. E| in a further
elaboration of the quantitative random cipher character of αη.

2 Standard Cryptography and Random Ciphers 

2.1 Standard Symmetric-Key Cryptography 

We review the basics of symmetric-key data encryption. Further details can be found
in, e.g., [HE]. Throughout the paper, random variables will be denoted by upper-case
letters such as $K$, $X$, etc. It is sometimes necessary to consider explicitly sequences of
random variables $(X_1, X_2, \dots, X_n)$. We will denote such vector random variables by
a boldface upper-case letter $\mathbf{X}_n$ and, whenever necessary, indicate the length of the
vector ($n$ in this case) as a subscript. Confusion with the $n$-th component $X_n$ of $\mathbf{X}_n$
should not arise as the latter is a boldface vector. Particular values taken by these
random variables will be denoted by similar lower-case letters. Thus, particular
values taken by the key random variable $K$ are denoted by $k$, $k'$, etc. Similarly, a
particular value of $\mathbf{X}_n$ can be denoted $\mathbf{x}_n$. The plaintext alphabet will be denoted
$\mathcal{X}$, the set of possible key values $\mathcal{K}$, and the ciphertext alphabet $\mathcal{Y}$. Thus, for example,
the sequences $\mathbf{x}_n \in \mathcal{X}^n$. In most nonrandom ciphers, $\mathcal{X}$ is simply the set $\{0, 1\}$ and
$\mathcal{Y} = \mathcal{X}$.

With the above notation, the $n$-symbol long plaintext (i.e., the message sequence
that needs to be encrypted) is denoted by the random vector $\mathbf{X}_n$, the ciphertext (i.e.,
the output of the encryption mechanism) is denoted by $\mathbf{Y}_n$ and the secret key used for
encryption is denoted by $K$. In this paper, we will often call the legitimate sender of
the message 'Alice', the legitimate receiver 'Bob', and the attacker (or eavesdropper)
'Eve'. Note that although the secret key is typically a sequence of bits, we do not use
vector notation for it since the bits constituting the key will not need to be singled
out separately in our considerations in this paper. In standard cryptography, one
usually deals with nonrandom ciphers. These are ciphers for which the ciphertext
is a function of only the plaintext and key. In other words, there is an encryption
function $E_k(\cdot)$ such that:

$$\mathbf{y}_n = E_k(\mathbf{x}_n). \qquad (1)$$

There is a corresponding decryption function $D_k(\cdot)$ such that:

$$\mathbf{x}_n = D_k(\mathbf{y}_n). \qquad (2)$$

In such a case, the $X_i$ and $Y_i$, $i = 1, \dots, n$, are usually taken to be from the same
alphabet.

In contrast, a random cipher makes use of an additional random variable $R$ called
the private randomizer pQ, generated by Alice while encrypting the plaintext and
known only to her, if at all. Thus the ciphertext is determined as follows:

$$\mathbf{y}_n = E_k(\mathbf{x}_n, r). \qquad (3)$$

Because of the additional randomness in the ciphertext, it typically happens that
the ciphertext alphabet $\mathcal{Y}$ needs to be larger than the plaintext alphabet $\mathcal{X}$ (or else
$\mathbf{Y}$ is a longer sequence than $\mathbf{X}$, as in homophonic substitution). It may even be a
continuous infinite alphabet, e.g. an analog voltage value. However, we still require,
as in pQ, that Bob be able to decrypt with just the ciphertext and key (i.e., without
knowing $R$), so that there exists a function $D_k(\cdot)$ such that Eq. (2) holds. We note
that random ciphers are called 'privately randomized ciphers' in Ref. pQ; we will
however use the shorter term 'random cipher' (note that 'random cipher' is used in
a completely different sense by Shannon [8]).

We note that the presence or absence of the private randomizer $R$ may be in-
dicated using the conditional Shannon entropy (we assume a basic familiarity with
Shannon entropy and conditional entropy; see any information theory textbook, e.g.,
[H]). For nonrandom ciphers, we have from Eq. (1) that

$$H(\mathbf{Y}_n \mid K \mathbf{X}_n) = 0. \qquad (4)$$

On the other hand, a random cipher satisfies

$$H(\mathbf{Y}_n \mid K \mathbf{X}_n) \neq 0, \qquad (5)$$

due to the randomness supplied by the private randomizer $R$. The decryption con-
dition Eq. (2) for both random and nonrandom ciphers has the entropic characteri-
zation:

$$H(\mathbf{X}_n \mid K \mathbf{Y}_n) = 0. \qquad (6)$$

Note that this characterization of a random cipher is problematic when the cipher-
text alphabet is continuous, as could be the case with αη, because then the Shannon
entropy is not defined. It may be argued that the finite precision of measurement
forces the ciphertext alphabet to be discrete. Indeed, in Sec. 2.2, we define a parame-
ter $\Lambda$ that characterizes the "degree of randomness" of a random cipher. In any case,
that definition makes sense, like Eq. (5), only when the ciphertext alphabet is
finite, or at most discrete.

In the cryptography literature, the characterization of a general random cipher is
limited to that given by Eqs. (5) and (6). See, e.g., [TJ. In the next section, we will see
that the purposes of cryptographic security suggest a sharper quantitative definition
of a random cipher involving a pertinent security parameter $\Gamma$. This new definition,
unlike (5), will be meaningful irrespective of whether the ciphertext alphabet is
discrete or continuous. Before we discuss this new definition of random ciphers,
we conclude this section with some important cryptographic terminology.

By standard cryptography, we shall mean that Eve and Bob both observe the
same ciphertext random variable, i.e., $\mathbf{Y}^E_n = \mathbf{Y}^B_n = \mathbf{Y}_n$. Thus, standard cryptogra-
phy includes usual mathematical private-key (and also public-key) cryptography but
excludes quantum cryptography and classical-noise cryptography [10]. For a stan-
dard cipher, random or nonrandom, one can readily prove from the above definitions
the following result known as the Shannon limit PJ Ej:

$$H(\mathbf{X}_n \mid \mathbf{Y}_n) \le H(K). \qquad (7)$$

This result may be thought of as saying that no matter how long the plaintext
sequence is, the attacker's uncertainty about it given the ciphertext cannot be greater
than that about the key. This condition is of crucial importance in both direct encryption
and key generation, as brought out in refs. jU EH UH 121], but was missed in
previous criticisms of αη 00 HI].
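The limit Eq. (7) follows in two lines from the decryption condition Eq. (6); the derivation is written out here as an added illustration (it is not part of the original text) and uses only the chain rule, the fact that conditioning cannot increase entropy, and the non-negativity of conditional entropy:

$$
H(\mathbf{X}_n \mid \mathbf{Y}_n) \;\le\; H(\mathbf{X}_n K \mid \mathbf{Y}_n) \;=\; H(K \mid \mathbf{Y}_n) + H(\mathbf{X}_n \mid K \mathbf{Y}_n) \;=\; H(K \mid \mathbf{Y}_n) \;\le\; H(K),
$$

where the second equality uses $H(\mathbf{X}_n \mid K \mathbf{Y}_n) = 0$ from Eq. (6). The only place the standard-cryptography assumption enters is that the $\mathbf{Y}_n$ in the decryption condition (Bob's ciphertext) is the same random variable as the $\mathbf{Y}_n$ Eve conditions on; when Eve's and Bob's observations differ, as in quantum or classical-noise cryptography, this chain no longer applies.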

By information-theoretic security (or IT security) on the data, we mean that Eve
cannot, even with unlimited computational power, pin down uniquely the plaintext
from the ciphertext, i.e.,

$$H(\mathbf{X}_n \mid \mathbf{Y}_n) \neq 0. \qquad (8)$$

The level of such security may be quantified by $H(\mathbf{X}_n \mid \mathbf{Y}_n)$. Shannon has defined
perfect security [8] to mean that the plaintext is statistically independent of the
ciphertext, i.e.,

$$H(\mathbf{X}_n \mid \mathbf{Y}_n) = H(\mathbf{X}_n). \qquad (9)$$

With the advent of quantum cryptography, the term 'unconditional security' has
come to be used, unfortunately in many possible senses. By unconditional security,
we shall mean near-perfect information-theoretic security against all attacks consis-
tent with the known laws of quantum physics.
Incidentally, note that the Shannon limit Eq. (7) immediately shows that perfect
security can be attained only if $H(\mathbf{X}_n) \le H(K)$, so that, in general, the key needs
to be as long as the plaintext.

2.2 Random Ciphers — Quantitative Definition 

As mentioned in the previous section, the characterization of a general random cipher
merely using Eq. (4) or (5) is perhaps not well-motivated. The reason for studying
random ciphers is in fact the belief that they enhance the security of the cipher
against various attacks. By bringing into focus the intuitive mechanism by which a
random cipher may provide greater security than a nonrandom counterpart against
known-plaintext attacks, we will propose one possible quantitative characterization
of a general random cipher (or more exactly, a general random stream cipher; see
below). For a description of known-plaintext and other attacks on ciphers, together
with the known results on their security, we refer the reader to Appendix A.

We now discuss the intuitive mechanism of security enhancement in a random ci-
pher. To this end, a schematic depiction of encryption and decryption with a random
cipher is given in Fig. 1. For a binary alphabet $\mathcal{X} = \{0, 1\}$, let $\mathcal{X}^n = \{a_1, \dots, a_N\}$
be the set of $N = 2^n$ possible plaintext $n$-sequences. Let $k$ be a particular key value.
One can view the key $k$ as dividing the ciphertext space $\mathcal{Y}^n$ into $N$ parts, denoted
by $A^k_{a_j}$, $j \in \{1, \dots, N\}$, in the figure. Encryption of plaintext $a_j$ proceeds by
first determining the relevant region $A^k_{a_j}$ and randomly selecting (this is the function
of the private randomizer) as ciphertext some $\mathbf{y} \in A^k_{a_j}$. The decryption condition
Eq. (2) is satisfied by virtue of the regions $A^k_{a_j}$ being disjoint for a given $k$. Also
shown in Fig. 1 is the situation where a different key value $k'$ is used in the system.
The associated partition of $\mathcal{Y}^n$ consists of the sets $A^{k'}_{a_j}$ that are shown with shaded
boundaries in Fig. 1. The important point here is that the respective partitions of
the ciphertext space for the key values $k$ and $k'$ should be sufficiently 'intermixed'.
More precisely, for any given plaintext $a_j$ and any observed ciphertext $\mathbf{y}_n$, we require
that there exist sufficiently many key values $k$ (and hence a sufficiently large prob-
ability for the set of keys consistent with a given plaintext and observed
ciphertext) for which $\mathbf{y}_n \in A^k_{a_j}$. In other words, a given plaintext-ciphertext pair can
be connected by many possible keys. This is the intuitive basis for why random ciphers
offer better quantitative security (as measured either by Eve's information on the
key or her complexity in finding it; see Secs. 4.2-4.4 for a discussion of αη security)
than nonrandom ciphers against known-plaintext attacks.

Figure 1: Schematic of a random cipher: The plaintexts $a_j$ are carried, under the
key $k$, into the corresponding regions $A^k_{a_j}$ of ciphertext space $\mathcal{Y}^n$. The subsets of $\mathcal{Y}^n$
associated with a different key value $k'$ are shown with curved boundaries.

While the above arguments hold for any type of random cipher whatsoever, we
will restrict our scope to the so-called stream ciphers. Most ciphers in current use
(which are all nonrandom), such as AES used in a stream-cipher mode, are stream
ciphers [ZJ. In a nonrandom stream cipher, the key $K$ is first expanded using a
deterministic function into a much longer sequence $(Z_1, \dots, Z_n)$ called the keystream
or running key. The defining property of a stream cipher is that the $i$-th ciphertext
symbol $y_i$ be a function of just the $i$-th keystream symbol $z_i$ and the earlier and
current plaintext symbols $x_1, \dots, x_i$:

$$y_i = E^i(x_1, \dots, x_i; z_i). \qquad (10)$$

It follows that decryption of the first $i$ symbols of plaintext is possible from the first
$i$ symbols of ciphertext and the running key. A synchronous stream cipher is one for
which

$$y_i = E^i(x_i; z_i). \qquad (11)$$

Thus, the $i$-th ciphertext symbol depends only on the $i$-th plaintext symbol and the
$i$-th keystream symbol, i.e., the cipher is memoryless. For our discussion of random
ciphers, we will restrict ourselves for concreteness to the case of random stream
ciphers, which are defined by:

$$y_i = E^i(x_1, \dots, x_i; z_i; r_i). \qquad (12)$$

Here, the $\{R_i\}$ are randomizers that may be assumed to be independent random
variables (this is the case in αη), but this is not necessary. In the rest of the paper,
a random cipher will always mean a random stream cipher.

For a nonrandom stream cipher given by Eq. (10), it is usually the case that
given the plaintext vector $\mathbf{x}_i$ of length $i$ and ciphertext symbol $y_i$, the value of the
keystream symbol $z_i$ is uniquely determined. This is typically the case also in a random
stream cipher when the value $r$ taken by the randomizer $R_i$ is known. In the absence
of such knowledge, however, the different possible values taken by $R_i$ will in general
allow many different values of the keystream symbol for the given plaintext vector and ci-
phertext symbol. The more such possibilities exist, the less information is obtained
about the keystream and the more 'secure' the cipher is. Our quantitative defini-
tion of random cipher given below introduces a parameter $\Gamma$ that provides one way
of quantifying the difference in knowledge of the keystream between the above two
scenarios, namely the number of additional possible keystream symbols for a given pair
of input data and corresponding ciphertext symbol.

Definition ($\Gamma$-Random Cipher):

A $\Gamma$-Random Cipher is a random stream cipher of the form of Eq. (12) for which the
following condition holds: for every plaintext sequence $\mathbf{x}_i$, for every $i$, for every
ciphertext symbol $y_i$ obtainable by encryption of $\mathbf{x}_i$, and for every value $r$ of $R_i$,

$$\Big|\{ z_i \mid y_i = E^i(x_1, \dots, x_i; z_i; r') \text{ for some } r' \}\Big| - \Big|\{ z_i \mid y_i = E^i(x_1, \dots, x_i; z_i; r) \}\Big| \;\ge\; \Gamma. \qquad (13)$$

The bars $|\cdot|$ indicate the size of the enclosed set. For a nonrandom stream cipher, the
keystream symbol $z_i$ is uniquely fixed by the plaintext vector $\mathbf{x}_i$ and the ciphertext symbol
$y_i$. Therefore, if the randomizer in (13) is ignored so that it applies to a nonrandom
cipher, a nonrandom cipher would have $\Gamma = 0$. Note that the sets whose sizes appear
in the above equation, both for random ciphers and their nonrandom reductions, are
constructed only on the basis of the $i$-th ciphertext symbol $y_i$, and not on the basis
of the entire ciphertext sequence. Thus, the definition of $\Gamma$ only gives the number
of possible keys per symbol of ciphertext under known-plaintext attack, while the
number of possible keys based on the entire ciphertext sequence (illustrated
schematically by the overlap sets in Fig. 1) may be significantly less. In this sense,
our definition has a restricted symbol-by-symbol scope but is easy to calculate with,
similar to the independent particle approximation in many-body physics. It does not
by itself determine the precise security of the cipher, but rather is the starting point
of a precise analysis, which is a difficult task just as correlations in interacting many-
body systems are always difficult to deal with in a rigorous quantitative manner.

It is possible to satisfy the random cipher condition (5) with $\Gamma = 0$. This happens,
e.g., when (13) holds for some ciphertext symbols with $\Gamma > 0$ but for some others
only with $\Gamma = 0$, so that the overall condition (13) is satisfied only for $\Gamma = 0$. A different
measure of randomization $\Lambda$, bearing directly on (5), may be introduced which has the
property that $\Lambda = 0$ is equivalent to a nonrandom cipher. For the case where the
ciphertext alphabet is finite and for given $\mathbf{x}_i$, $z_i$ and $r$, let

$$\Lambda = \Big|\{ y_i \mid y_i = E^i(x_1, \dots, x_i; z_i; r') \text{ for some } r' \}\Big| - \Big|\{ y_i \mid y_i = E^i(x_1, \dots, x_i; z_i; r) \}\Big|. \qquad (14)$$

Thus, condition (5) is equivalent to $\Lambda > 0$ for some $\mathbf{x}_i$, $z_i$ and $r$. It follows that $\Lambda = 0$
for all $(\mathbf{x}_i, z_i)$ is equivalent to the cipher being nonrandom. $\Lambda + 1$ is the number of
possible output signal symbols corresponding to a given input symbol and running
key value. Thus, the parameter $\Lambda$ measures directly the degree of per-symbol cipher-
text randomization, while $\Gamma$ measures the per-symbol key redundancy. It is possible
that a $\Gamma = 0$ random cipher is still useful due to the additional load on Eve to
record and store more information from her observation. On the other hand, for the
typical case where $z_i$ is in one-to-one correspondence with $y_i$ for given $\mathbf{x}_i$ and $r$, $\Gamma > 0$
implies $\Lambda > 0$ for every $\mathbf{x}_i$ and $z_i$, which in turn implies that a cipher with $\Gamma > 0$ is
random in the sense of (5). A simple application of the $\Gamma$ and $\Lambda$ characterizations
to αη leads to information-theoretic lower bounds on the unicity distances $n_0$ and
$n_1$ for CTA and KPA, as discussed in Sec. 4.3. The following simple example also
serves to illustrate the above definitions:

Example (Random cipher)

Let $\mathcal{X} = \{0, 1\}$, $\mathcal{K} = \{k_0, k_1, k_2, k_3, k_4\}$ and $\mathcal{Y} = \{a, b, c, d, e\}$. Fig. 2 lists the possible
ciphertexts for each plaintext and key pair.

    x    k     y
    -----------------
    0    k0    a, b
    1    k0    c, d, e
    0    k1    c, d
    1    k1    e, a, b
    0    k2    e, a
    1    k2    b, c, d
    0    k3    b, c
    1    k3    d, e, a
    0    k4    d, e
    1    k4    a, b, c

Figure 2: Encryption table for a simple random cipher.

For this cipher, one can easily verify that at least 2 key values connect every
possible plaintext-ciphertext pair (for instance, the pair $(x, y) = (0, a)$ is produced by
both $k_0$ and $k_2$). In addition, every plaintext-key pair can lead to
at least two different ciphertexts. In terms of the definitions given above, this cipher
has $\Gamma = 1$ and $\Lambda = 1$.
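The quantities quoted for Fig. 2 can be checked mechanically. The script below is an added example, not code from the paper: it transcribes the table, models the private randomizer $r$ as an index into the listed ciphertext symbols (an assumption; the paper does not spell out how $r$ selects a symbol), evaluates Eqs. (13) and (14) at their minimum over all arguments, and also evaluates the nonrandom reduction obtained by discarding the randomizer, for which $\Gamma$ drops to 0 as the text states.

```python
from itertools import product

# Encryption table of Fig. 2, transcribed here (constructed from the paper's
# example): for plaintext x and key k, the private randomizer r picks one of
# the listed ciphertext symbols.
TABLE = {
    0: {"k0": "ab",  "k1": "cd",  "k2": "ea",  "k3": "bc",  "k4": "de"},
    1: {"k0": "cde", "k1": "eab", "k2": "bcd", "k3": "dea", "k4": "abc"},
}
KEYS = ["k0", "k1", "k2", "k3", "k4"]
R_VALUES = range(3)   # assumption: r in {0, 1, 2} indexes the listed symbols


def nonrandom_reduction(table):
    """Ignore the randomizer by keeping only the first listed symbol per (x, k)."""
    return {x: {k: ys[0] for k, ys in row.items()} for x, row in table.items()}


def encrypt(table, x, k, r):
    """y = E_k(x, r): the r-th listed symbol (wrapping so every r is valid)."""
    choices = table[x][k]
    return choices[r % len(choices)]


def decrypt(table, y, k):
    """Decryption condition Eq. (2): for a fixed key the regions A^k_0 and A^k_1
    are disjoint, so (y, k) fixes x without any knowledge of r."""
    hits = [x for x in table if y in table[x][k]]
    if len(hits) != 1:
        raise ValueError("regions for key %s overlap or miss %s" % (k, y))
    return hits[0]


def keys_connecting(table, x, y):
    """Keys k with y = E_k(x, r') for some r' (the overlap sets of Fig. 1)."""
    return {k for k in KEYS if y in table[x][k]}


def gamma(table):
    """Gamma of Eq. (13), reported at its minimum over all (x, y, r):
    |{k : y = E_k(x, r') for some r'}| - |{k : y = E_k(x, r)}|."""
    worst = None
    for x, r in product(table, R_VALUES):
        reachable = {encrypt(table, x, k, r2) for k in KEYS for r2 in R_VALUES}
        for y in reachable:
            fixed_r = sum(1 for k in KEYS if encrypt(table, x, k, r) == y)
            val = len(keys_connecting(table, x, y)) - fixed_r
            worst = val if worst is None else min(worst, val)
    return worst


def lam(table):
    """Lambda of Eq. (14), reported at its minimum over all (x, k, r):
    |{y : y = E_k(x, r') for some r'}| - |{y : y = E_k(x, r)}|."""
    return min(len({encrypt(table, x, k, r2) for r2 in R_VALUES}) - 1
               for x in table for k in KEYS for r in R_VALUES)


def min_keys_per_pair(table):
    """Smallest number of keys connecting any reachable plaintext-ciphertext pair."""
    return min(len(keys_connecting(table, x, y))
               for x in table for k in KEYS for y in table[x][k])


if __name__ == "__main__":
    print("random cipher:    Gamma =", gamma(TABLE), " Lambda =", lam(TABLE),
          " min keys per (x, y) =", min_keys_per_pair(TABLE))
    nr = nonrandom_reduction(TABLE)
    print("nonrandom reduction: Gamma =", gamma(nr), " Lambda =", lam(nr))
```

For the table as given, each fixed value of $r$ happens to map the five keys onto the five ciphertext symbols one-to-one, so the second term in Eq. (13) is always 1 and $\Gamma$ is simply one less than the smallest number of connecting keys; the per-symbol nature of the definition is visible in that only single symbols, never sequences, are ever consulted.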



3 Quantum Random Ciphers

The known and possible advantages of a random classical cipher over a nonran-
dom one were discussed in the previous section. While it is possible to implement
a random cipher classically using random numbers generated on Alice's side, this
is not currently practical at high (~ Gbps) rates. As will become clear in the se-
quel, the quantum encryption protocol αη (various implementations are described
in [3] [13 CHI UZ1 UHj; the protocol in [TH] is a variation on the original αη of 0)
effectively implements a random cipher from Eve's point of view for a given choice
of her measurement, the difference from a classically random cipher being that it
uses coherent-state quantum noise to perform the needed randomization. Before we
describe αη, we define some concepts that capture the relevant features of a quantum
random cipher. As emphasized in Section 2.2, we will confine our attention to stream
ciphers. First, we straightforwardly extend the usual stream cipher to one where the
ciphertext is a quantum state. Our motivation for this definition is that, from the
point of view of the legitimate users Alice and Bob, αη is a quantum stream cipher
with negligible $\lambda$ in the sense given below:

Definition ($\lambda$-Quantum Stream Cipher (QSC)):

A quantum stream cipher is a cipher for which the following two conditions are
satisfied:

A. The encryption map $\varepsilon_k(\cdot)$ takes the $n$-symbol plaintext sequence $\mathbf{x}_n$ to a quantum
state $n$-sequence $\rho$ in the $n$-fold tensor product form:

$$\rho = \varepsilon_k(\mathbf{x}_n) = \rho_1(x_1; z_1) \otimes \dots \otimes \rho_n(x_1, \dots, x_n; z_n), \qquad (15)$$

and

B. Given the key $k$, there exists a measurement on the encrypted state sequence
that recovers each plaintext symbol $x_i$ with probability $P_{dec} \ge 1 - \lambda$.

Here, as in Section 2.2, $(Z_1, \dots, Z_n)$ is the keystream generated from the seed
key $K$. A few comments will help clarify the definition. First, note that the tensor
product form of the state in condition A retains for a quantum cipher the property of
a classical cipher that one can generate the components in the $n$-sequence of states
that constitute the output of a cipher one after the other in a time sequence. Note
also that, analogous to a classical stream cipher, the $i$-th tensor component of $\rho$
depends on just $z_i$ and $(x_1, \dots, x_i)$. Condition B is the generalized counterpart of
the decryption condition Eq. (2) for a classical cipher; we now allow a small enough
decryption error probability. Thus, the per-symbol error probability is bounded
above by $\lambda < 1$.

We now want to bring the concept of classical random cipher defined in the pre-
vious section into the quantum setting. Our motivation in doing so is to show that,
for an attacker making the same measurement on a mode-by-mode basis without
knowledge of the key, αη reduces to an equivalent $\Gamma$-Random Cipher with signifi-
cantly large $\Gamma$. Since the output of a quantum cipher is a quantum state and not a
random variable, we will need to specify a POVM $\{\Pi_{\mathbf{y}_n}\}$ whose measurement result
$\mathbf{Y}_n$ supplies the classical ciphertext. Note that in this quantum situation different
choices of measurement may result in radically different kinds of ciphertext. Note
also that the user's and the attacker's measurements may be different. Our definition
of a quantum random stream cipher below will apply relative to a chosen ciphertext
$\mathbf{Y}_n$ defined by its associated POVM. We will also assume that, from the eavesdrop-
per's viewpoint, the same measurement is made on each of the $n$ components of the
cipher output. In other words, the POVM defining the ciphertext $\mathbf{Y}_n$ is a tensor
product of identical POVMs $\{\Pi_y\}$.

Definition ($(\Gamma, \lambda, \lambda', \{\Pi_y\})$-Quantum Random Stream Cipher (QRC)):

A $(\Gamma, \lambda, \lambda', \{\Pi_y\})$-quantum random stream cipher is a $\lambda$-quantum stream cipher
such that, for the ciphertext given by the result of the product POVM
$\{\Pi_{\mathbf{y}_n} = \Pi_{y_1} \otimes \dots \otimes \Pi_{y_n}\}$,

A. one has a $\Gamma$-random stream cipher satisfying Eq. (13), and

B. the probability of correct decryption per symbol $P'_{dec}$, using the key after the
measurement, satisfies $P'_{dec} \ge 1 - \lambda'$.

Several comments are given to explain this definition:

1. While condition QRC-B above appears similar to the condition QSC-B for a
quantum stream cipher, there is a crucial difference. In the latter, the decryption
probability $P_{dec}$ takes into account the possibility that the quantum measurement
(as well as classical post-processing) made on the cipher state can depend on
the key, i.e., it refers to Bob's rather than Eve's error probability. In QRC-B,
we are considering the probability of error involved for Eve when she decrypts
using a quantum measurement independent of the key followed by classical post-
processing that is, in general, "collective" and depends on the key. Thus, the
parameter $\lambda'$ is related to the symbol error probability under this latter restriction,
while the parameter $\lambda$ in QSC-B is tied to the symbol error probability for a
quantum measurement allowed to depend on the key. We see that there are two
measurements implicit in our definition of a QRC: one made by the user with
the help of the key, and the other, given by $\{\Pi_y\}$, made by the attacker without the
key. See also Item 3 below. As we shall see, αη satisfies QRC-B with negligible
$\lambda'$ under a heterodyne or phase measurement attack by Eve.

2. $\Gamma$ in QRC-A, as in Eq. (13), is a measure of the 'degree of intermixing' of the
regions of ciphertext space corresponding to different key values on a symbol-by-
symbol basis. If $\{\Pi_y\}$ describes a discrete measurement, a $\Lambda$ corresponding to
Eq. (14) can also be introduced.
3. Our stipulation that the same POVM be measured on each of the components
of the cipher output is tantamount to restricting the attacker to identical mea-
surements on each tensor component followed by collective processing. We will
call such an attack a collective attack in this paper (also in [2]). This definition
is different from the usual collective attack in quantum cryptography ^H]: in the
latter, following the application of identical probes to each qubit/qumode, a joint
quantum measurement on all the probes is allowed. In our case, there is no probe
for Eve to set as we conceptually allow her a full copy of the quantum state. Doing
so, we can upper bound her performance. (This is an important feature of our
so-called KCQ approach to encryption and key generation. See [I] for discussion.)
Thus, allowing a joint measurement, as also nonidentical measurements on each
output component, will be called a joint attack.

4. In analogy with the classical random cipher definition Eq. (13), one may won-
der why the private randomizers $R_i$ used in that definition are missing from that
of the quantum random cipher. Indeed, one may randomize the quantum state
$\rho_i(x_1, \dots, x_i; z_i)$ to $\rho_i(x_1, \dots, x_i; z_i; r_i)$ using a private random variable with prob-
ability distribution $p_{r_i}$. However, since the value of $R_i$ remains unknown to both
user and attacker (indeed, the user should not need to know $R_i$ in order to de-
crypt, or even to encrypt in the case of αη), one sees that all probability distri-
butions of Bob's or Eve's measurements in this situation are given by the state

$$\rho'_i(x_1, \dots, x_i; z_i) = \sum_{r_i} p_{r_i}\, \rho_i(x_1, \dots, x_i; z_i; r_i),$$

in which there is no explicit dependence on $r_i$. In particular, we mention here that
exactly such quantum state randomization, called Deliberate Signal Randomization
(DSR), has been proposed in the context of αη in [3] for the purpose of enhancing
the information-theoretic security of αη.

5. It is important to observe that the definitions given above both for classical and
quantum random ciphers are not arbitrary ones, but rather the mathematical
characterizations of very typical situations involving randomization in classical
and quantum cryptosystems.

We present an example of a QRC in the next section: the αη cryptosystem.

4 The αη cryptosystem
4.1 Operation

We now describe the αη system and its operation as a quantum cipher:

(1) Alice and Bob share a secret key $K_s$.

(2) Using a key expansion function ENC(.), e.g., a linear feedback shift register or
AES in a stream-cipher mode, the seed key $K_s$ is expanded into a running key
sequence that is chopped into $n$ blocks: $K_{mn} = \mathrm{ENC}(K_s) = (K_1, \dots, K_{mn})$.
Here, $m = \log_2 M$, so that $Z_i = (K_{(i-1)m+1}, \dots, K_{im})$ can take $M$ values. The
$Z_i$ constitute the keystream.

(3) The encrypted state $\varepsilon_{K_s}(\mathbf{X}_n)$ of Eq. (15) is defined as follows. For each bit $X_i$ of
the plaintext sequence $\mathbf{X}_n = (X_1, \dots, X_n)$, Alice transmits the coherent state

$$|\psi(X_i, Z_i)\rangle = |\alpha\, e^{i\theta(X_i, Z_i)}\rangle. \qquad (16)$$

Here, $\alpha \in \mathbb{R}$ and $\theta(X_i, Z_i)$ takes values in the set $\{0, \pi/M, \dots, (2M-1)\pi/M\}$.
The function $\theta$ taking the data bit and keystream symbol to the actual angle on
the coherent-state circle is called the mapper. In this paper, we choose $\theta(X_i, Z_i) =
[Z_i/M + (X_i \oplus \mathrm{Pol}(Z_i))]\pi$, where $\mathrm{Pol}(Z_i) = 0$ or $1$ according to whether $Z_i$ is even
or odd. This distribution of possible states is shown in Fig. 3. Thus $Z_i$ can be
thought of as choosing a 'basis' with the states representing bits 0 and 1 as its
end points; the $\mathrm{Pol}$ term makes neighbouring states on the circle carry opposite
bits. In general, one has the freedom to vary the mapper in various ways
for practical reasons. See, e.g., [TT)].

(4) In order to decrypt, Bob runs an identical ENC function on his copy of the seed
key. For each $i$, knowing $Z_i$, he makes a quantum measurement to discriminate
just the two states $|\psi(0, Z_i)\rangle$ and $|\psi(1, Z_i)\rangle$.

To decrypt in step (4) above, Bob in general would need a phase reference. This
is effectively provided by the use of Differential Phase Shift Keyed (DPSK) signals in
the implementations of αη. See [TSJEIlEl for details. Doing so does not compromise
security as we still assume that Eve has a perfect copy of the transmitted state.
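Steps (1)-(4) are small enough to simulate end to end. The script below is an added example and is not code from the paper or from the Northwestern implementation. Its assumptions: SHA-256 in counter mode stands in for the paper's ENC (the paper allows an LFSR or AES in a stream-cipher mode); both Bob and Eve are modelled with heterodyne detection, i.e. the coherent state $|\alpha e^{i\theta}\rangle$ is received as $\alpha e^{i\theta}$ plus Gaussian noise of variance $1/2$ per quadrature in shot-noise units with $|\alpha|^2 = S$ (Bob's optimum measurement is not simulated); Eve is given $\eta = 1$; Eve's decoder is a nearest-state phase decision followed by the mapper inverted without the key; and the plaintext is constructed random bits. Running it shows Eve's bit error rate climbing toward $1/2$ as $M$ grows while Bob's stays at zero, the interleaving effect discussed in this section.

```python
import hashlib
import math
import random


def pol(z):
    """Pol(z) = 0 or 1 according to whether z is even or odd."""
    return z & 1


def theta(x, z, M):
    """Mapper of step (3): theta(x, z) = [z/M + (x XOR Pol(z))] * pi."""
    return (z / M + (x ^ pol(z))) * math.pi


def keystream(seed_key, n, M):
    """Step (2): expand the seed key into a running key and chop it into n blocks
    of m = log2(M) bits, each read as a keystream symbol Z_i in {0, ..., M-1}.
    SHA-256 in counter mode is a stand-in for the paper's ENC (assumption) so the
    example runs with the standard library."""
    m = M.bit_length() - 1
    if 1 << m != M:
        raise ValueError("M must be a power of two")
    bits, ctr = [], 0
    while len(bits) < n * m:
        digest = hashlib.sha256(seed_key + ctr.to_bytes(8, "big")).digest()
        bits.extend((byte >> (7 - b)) & 1 for byte in digest for b in range(8))
        ctr += 1
    return [int("".join(str(b) for b in bits[i * m:(i + 1) * m]), 2)
            for i in range(n)]


def heterodyne(alpha, angle, rng):
    """Simulated heterodyne outcome for |alpha e^{i angle}>: the signal plus
    independent Gaussian noise of variance 1/2 in each quadrature (shot-noise
    units with |alpha|^2 = mean photon number; assumption)."""
    sigma = math.sqrt(0.5)
    return (alpha * math.cos(angle) + rng.gauss(0, sigma),
            alpha * math.sin(angle) + rng.gauss(0, sigma))


def bob_decode(beta, z, M):
    """Step (4): Bob knows Z_i, so only the two antipodal states at angles
    z*pi/M and z*pi/M + pi are possible. Project onto that axis, read the sign,
    and undo the Pol(z) flip of the mapper."""
    phi = z * math.pi / M
    proj = beta[0] * math.cos(phi) + beta[1] * math.sin(phi)
    return (1 if proj < 0 else 0) ^ pol(z)


def eve_decode(beta, M):
    """Eve lacks Z_i: measure the phase, snap to the nearest of the 2M states,
    and output the bit that state carries. theta gives state index
    j = z + M*(x XOR Pol(z)); j < M means x = Pol(j), j >= M means
    x = 1 XOR Pol(j - M)."""
    ang = math.atan2(beta[1], beta[0]) % (2 * math.pi)
    j = int(round(ang / (math.pi / M))) % (2 * M)
    return pol(j) if j < M else 1 ^ pol(j - M)


def constructed_plaintext(n, seed=3):
    """Constructed sample plaintext bits (not data from the paper)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]


def run(M, S, plaintext, seed_key=b"constructed demo seed key", seed=7):
    """Encrypt with alpha-eta (eta = 1) and return (Bob's, Eve's) bit error rates."""
    rng = random.Random(seed)
    alpha = math.sqrt(S)                                 # |alpha|^2 = S
    zs = keystream(seed_key, len(plaintext), M)          # Alice's keystream
    zs_bob = keystream(seed_key, len(plaintext), M)      # Bob runs identical ENC
    bob_err = eve_err = 0
    for x, z, zb in zip(plaintext, zs, zs_bob):
        beta = heterodyne(alpha, theta(x, z, M), rng)    # Eve gets a perfect copy
        bob_err += int(bob_decode(beta, zb, M) != x)
        eve_err += int(eve_decode(beta, M) != x)
    return bob_err / len(plaintext), eve_err / len(plaintext)


if __name__ == "__main__":
    pt = constructed_plaintext(2000)
    for M in (2, 32, 2048):
        bob, eve = run(M, 1000.0, pt)
        print("M=%5d  Bob BER=%.4f  Eve BER=%.4f" % (M, bob, eve))
```

With $S = 10^3$ the heterodyne phase noise is about $1/\sqrt{2S} \approx 0.02$ rad; for $M = 2$ the states are $\pi/2$ apart and Eve reads every bit, whereas for $M = 2048$ the spacing $\pi/M$ is far below the noise, so her nearest-state guess lands on a state of either bit with equal probability. Bob, who knows which basis was used, is never more than a sign decision away from the answer.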

If the line transmittance between Alice and Bob is $\eta$, Bob receives a coherent
state with energy $\eta S$ instead of $S = |\alpha|^2$. The optimal quantum measurement [22]
for Bob has error probability

$$P_e^B \approx \tfrac{1}{4}\exp(-4\eta S). \qquad (17)$$

It is thus apparent that αη is a $\lambda$-quantum cipher in the sense of Section 3 with
$\lambda \approx \tfrac{1}{4}\exp(-4\eta S)$. For the $S \approx 4 \times 10^4$ of [16], over a distance of 80 km at a loss of
0.2 dB/km (16 dB in total, i.e., $\eta \approx 0.025$), we have $\eta S \approx 10^3$ photons. For this
mesoscopic level, $\lambda \approx \tfrac{1}{4}\exp(-4000)$, which is completely negligible compared, say,
to the standard acceptable BER limit of $10^{-9}$, which arises from device imperfections,
for an uncoded optical on-off keyed line.

Figure 3: Left - Overall schematic of the αη encryption system. Right - Depiction
of two of $M$ bases with interleaved logical bit mappings.

Let us briefly indicate how this system may provide data security by considering an individual attack on each data bit X_i by Eve. Under such an attack, one only looks at the per-bit error probability, ignoring correlations between the bits. Under this assumption, Eve, not knowing Z_i, is faced with the problem of distinguishing the density operators ρ^0 and ρ^1 where

\rho^x = \frac{1}{M}\sum_{Z_i} |\psi(x, Z_i)\rangle\langle\psi(x, Z_i)|, \quad x \in \{0, 1\}. \qquad (18)

For a fixed signal energy S, Eve's optimal error probability is numerically seen to go asymptotically to 1/2 as the number of bases M → ∞ (See Fig. 1 of [3]). The intuitive reason for this is that increasing M more closely interleaves the states on the circle representing bit 0 and bit 1, making them less distinguishable. Therefore, at least under such individual attacks on each component qumode¹ of the cipher output, αη offers any desired level of security determined by the relative values of S and M. While we are not concerned in this paper with key generation, it may be observed that unambiguous state determination (USD) attacks on αη are totally ineffective due to the large number, 2M, of states involved.

¹ When referring to an optical field mode, we use the term qumode (for 'quantum mode', in analogy to 'qubit').

In our security analysis, Eve is always assumed to be at the transmitter so that η = 1 for her. Without knowing the key, however, her performance on the data is still poor as described in the above paragraph. Her attacks on the key are described in the following. We have assumed that the users can utilize the signal energy ηS to maintain a proper bit error rate without channel coding, despite possible interference from Eve. This does not place a stringent requirement on η itself as one can typically go around 80 km in fiber before the signal needs to be amplified. In case Eve's interference is too strong and causes errors, it would be detected in a message authentication code which always goes with encryption. There is clearly no need to do separate intrusion detection in this direct encryption case, but it turns out there is also no need in the key generation regime E], which we do not discuss in this paper.

4.2 αη as a Random Cipher

We showed in the previous subsection that αη may be operated in a regime of S, η and M where it is a Λ-quantum cipher for Λ ≈ 0. We now show that, from Eve's point of view, under both a heterodyne and a phase measurement attack, αη appears effectively as a quantum random cipher according to the characterization of Section 3. Note that the randomization in αη can also be effected in principle by using an additional classical random number generator. This is not required in αη as high-speed randomization is automatically provided by the coherent-state quantum noise.

To see the quantum random cipher characteristic of αη, consider employing the following two measurements for obtaining {π_y} in the quantum random cipher definition:

1) (Heterodyne measurement) \pi_y = \frac{1}{\pi}|y\rangle\langle y|, \quad y \in \mathbb{C}.

2) (Canonical phase measurement) \pi_\theta = \frac{1}{2\pi}\sum_{n, n'=0}^{\infty} e^{i(n-n')\theta}|n\rangle\langle n'|, \quad \theta \in [0, 2\pi).

To show that the conditions for a QRC are satisfied, let us first consider QRC-B. It may be shown that the error probabilities Λ' involved are respectively ~ ½e^{−S} and ~ ½e^{−2S} for the heterodyne and phase measurements.
Turning to QRC-A, let us estimate the value of Γ under heterodyne and phase measurement. For a signal energy S, the heterodyne measurement is Gaussian distributed around the transmitted amplitude with a standard deviation of 1/2 for each quadrature, while the phase measurement has an approximately Lorentzian distribution around the transmitted phase with standard deviation ~ 1/√S. If we assume that, given a certain transmitted amplitude/phase, the possible ciphertext values are uniformly distributed within a standard deviation on either side and ciphertext values outside this range are not reached (this will be called the wedge approximation), we get the following estimates N_het and N_phase for the number of keystream values Z_i covered by the quantum noise under heterodyne and phase measurements:

N_{\mathrm{het}} = 2N_{\mathrm{phase}} = \frac{M}{\pi\sqrt{S}}. \qquad (19)

If the value of the randomizer R is fixed (corresponding to rotation by a given angle within the wedge), Z_i is fixed by the plaintext and ciphertext. Thus we have according to Eq. (13) that

\Gamma_{\mathrm{het}} = N_{\mathrm{het}} - 1 \simeq \frac{M}{\pi\sqrt{S}}, \qquad (20)

and that

\Gamma_{\mathrm{phase}} = \Gamma_{\mathrm{het}}/2 = \frac{M}{2\pi\sqrt{S}}. \qquad (21)

As expected, the Γ's of both measurements increase as the number of bases M increases, and decrease with increasing signal energy S, which corresponds to decreasing quantum noise. For example, using the experimental parameters in [16] of S ~ 4 × 10^4 photons and M ~ 2 × 10^3 gives Γ_het ~ 3. The Λ (cf. Eq. (14)) characteristics of αη will be considered in Sec. 5.2 in connection with the Nishioka group attack. The relevance of these parameters for security is considered in detail in the next subsection and in Sec. 5.2.
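As an added example (not code from the paper or from any αη implementation), the following Python simulates steps (1)-(4) of Sec. 4.1 with the mapper given there and the heterodyne noise model of Sec. 4.2: Bob decrypts with the keystream, and for Eve the bases covered by the wedge around her measured phase are counted and compared with N_het of Eq. (19). The ENC output is replaced by a constructed random keystream, and M ~ 2 × 10^3, S ~ 4 × 10^4 and |K| = 4400 are the values quoted in the text; the search complexity of Eq. (25) is evaluated for the same numbers.

```python
import math
import random

# Constructed parameters, matching the orders of magnitude quoted in the text
M_EXP = 2000      # number of bases M ~ 2 x 10^3
S_EXP = 4.0e4     # signal energy S ~ 4 x 10^4 photons
K_BITS = 4400     # seed-key length |K| used in Sec. 4.3.3


def pol(z):
    """Pol(Z_i) = 0 or 1 according to whether Z_i is even or odd."""
    return z & 1


def theta(x, z, M):
    """Mapper of Sec. 4.1: theta(X_i, Z_i) = [Z_i/M + (X_i xor Pol(Z_i))] * pi."""
    return (z / M + (x ^ pol(z))) * math.pi


def keystream(n, M, rng):
    """Constructed stand-in for the ENC output: n keystream symbols Z_i in {0..M-1}."""
    return [rng.randrange(M) for _ in range(n)]


def heterodyne(x, z, M, S, rng):
    """Heterodyne outcome on |alpha e^{i theta}>, alpha = sqrt(S): each quadrature is
    the transmitted point plus Gaussian noise of standard deviation 1/2 (Sec. 4.2)."""
    ph = theta(x, z, M)
    a = math.sqrt(S)
    return (a * math.cos(ph) + rng.gauss(0.0, 0.5),
            a * math.sin(ph) + rng.gauss(0.0, 0.5))


def bob_decrypt(y, z, M):
    """Bob knows Z_i, so he discriminates only |psi(0,Z_i)> and |psi(1,Z_i)>.
    They are antipodal, so the sign of the projection on the basis axis decides."""
    ph0 = theta(0, z, M)
    return 0 if y[0] * math.cos(ph0) + y[1] * math.sin(ph0) >= 0 else 1


def wedge_bases(y, M, S):
    """Wedge approximation of Sec. 4.2 for Eve, who does not know Z_i: the bases
    that have a state within one angular standard deviation, 1/(2 sqrt S), of
    the measured phase.  The size of this set estimates N_het of Eq. (19)."""
    phi = math.atan2(y[1], y[0])
    sigma = 0.5 / math.sqrt(S)
    bases = set()
    for z in range(M):
        for x in (0, 1):
            d = abs((phi - theta(x, z, M) + math.pi) % (2 * math.pi) - math.pi)
            if d <= sigma:
                bases.add(z)
    return bases


def n_het(S, M):
    """Eq. (19): N_het = M / (pi sqrt S).  Eq. (20) takes Gamma_het = N_het - 1."""
    return M / (math.pi * math.sqrt(S))


def assisted_search_bits(gamma, k_bits, M):
    """log2 of the assisted brute-force complexity C = Gamma^(|K|/m) of Eq. (25),
    with m = log2(M) keystream bits per basis."""
    return (k_bits / math.log2(M)) * math.log2(gamma)


def simulate(n_bits, S=S_EXP, M=M_EXP, seed=1):
    """Send n_bits random data bits; Bob decrypts with the keystream, Eve records
    how many bases her wedge covers.  Returns (bob_errors, wedge_sizes)."""
    rng = random.Random(seed)
    errors, wedges = 0, []
    for z in keystream(n_bits, M, rng):
        x = rng.randrange(2)
        y = heterodyne(x, z, M, S, rng)
        if bob_decrypt(y, z, M) != x:
            errors += 1
        wedges.append(len(wedge_bases(y, M, S)))
    return errors, wedges


if __name__ == "__main__":
    errs, wedges = simulate(100)
    print("Bob errors:", errs, " mean wedge size:", sum(wedges) / len(wedges),
          " N_het from Eq. (19): %.2f" % n_het(S_EXP, M_EXP))
    print("Gamma ~ 3 gives C ~ 2^%.0f" % assisted_search_bits(3, K_BITS, M_EXP))
```

At the quoted parameters the wedge always covers 3 or 4 bases (the noise-independent geometry of a 1/√S-wide arc over states spaced π/M apart), while lowering S to a fraction of a photon makes Bob's own decryption fail, which is the trade-off between Γ and the users' bit error rate discussed in the text.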

4.3 αη: Information-theoretic and Complexity-Theoretic Security

Before discussing αη security, we comment that αη direct encryption is often compared to BB84 key generation followed by the use of the generated key in either one-time pad or a standard cipher like AES. This is not an appropriate comparison because αη already assumes that the users share a key. Perhaps the source of the confusion is that both αη and BB84 involve the use of quantum states. In any case, the appropriate comparison would be between αη and a standard cipher like one-time pad or AES - we do make such a comparison in the following.
We will consider in turn the information-theoretic (IT) and complexity-theoretic (CT) security of αη. In standard cryptography, no rigorous result is known about the quantitative security level of any cipher, save the one-time pad. Since αη includes a classical stream cipher ENC (See Fig. 1), we may in general expect a similarly murky state of affairs regarding its quantitative security. However, it will turn out that, under known-plaintext attacks, one can claim additional security from the physical coherent-state noise for a suitably modified αη with any cipher ENC, as compared to ENC alone.

4.3.1 Information-theoretic (IT) Security: Qualitative discussion 

Considering first IT security, we discuss in turn qualitatively the cases of ciphertext-only, known-plaintext, and statistical attacks on the data as well as the key. Subsequently, for the former two cases, we give lower bounds for the unicity distances n_0 and n_1 (See Appendix A for definitions).

As mentioned in Appendix A, for a nondegenerate ENC box cipher, one can protect the key completely and attain data security up to the Shannon limit under CTA. If the same ENC box is used in αη, one may consider, as in Sec. 4.1, an attack in which Eve attacks each data bit using only the measurement result from the corresponding qumode. Although under such an assumption IT security obtains as M/√S → ∞, this attack is too restrictive since Eve does gain information on the key from each qumode measurement that could be useful in learning about other data bits as well. Such attacks utilizing key correlations across data bits may be launched against standard stream ciphers. Under the wedge approximation of Sec. 4.2, Eve is able to narrow her choice of basis down to Γ possible values. Even if Γ is large, the key security (and hence data security) is not as good as that of the ENC box alone, for which case the keystream bits are completely random to Eve. However, one can still derive a unicity distance lower bound (See below). This defect of αη may be removed by the use of Deliberate Signal Randomization (DSR) introduced in jl]. However, the concrete analysis of systems using various forms of DSR is still in progress. But see [20].

Let us now consider the case of known-plaintext attacks on the key. As discussed in Appendix A, most nonrandom ciphers have a nondegeneracy distance at which the key is fixed under a known-plaintext attack. We also mentioned that for random ciphers, such a distance may not exist, so that it is unknown whether or not they possess IT security against KPAs. Since αη is random, the same remark applies to it. However, a finite unicity distance n_1 may exist for αη and other random ciphers beyond which the key is fixed in a KPA. While rigorous analysis is difficult and is so far limited to the unicity distance bound given below, we believe that such is the case for the original αη with no modification, so that it has no IT security for large enough n.

The statistical attacks fall between the above two extremes. Thus, there may exist a crossover point where αη security becomes better than that of the ENC box alone as one moves from CTA towards KPA. However, no quantitative results, e.g., the unicity distance under STA, are known. To summarize, we believe that under all cryptographic attacks, αη has no IT security for large enough n, i.e., lim_{n→∞} H(K|Y^n) = 0. However, the use of αη should extend the unicity distance beyond that of the cipher ENC used in it for some statistical attacks and for known-plaintext attacks.



4.3.2 Information-Theoretic (IT) Security: Unicity Distance Lower Bounds 

Nonrigorous estimates of the unicity distance n_1 against KPA for standard stream ciphers are often made via a capacity argument in the so-called "correlation attacks" (See, e.g., [23]). The bound

n_1 > |K|/C, \qquad (22)

where C is the capacity of Eve's effective channel, follows from the converse to the coding theorem j^j. The application of (22) to correlation attacks is nonrigorous because the assumption of independent noise in each bit is not valid. In the case of αη, rigorous lower bounds on n_0 and n_1 can be obtained from (22) because of the independent qumode-to-qumode coherent-state noise. Under the wedge approximation to the noise distribution for evaluating Eve's capacity in (22), it may be shown [21] that for uniform data, the CTA unicity distance

n_0 > \frac{|K|}{m - 1 - \log_2(\Gamma + 1)}, \qquad (23)

and for KPA,

n_1 > \frac{|K|}{m - \log_2(\Gamma + 1)}. \qquad (24)

In terms of the experimental parameters of [16], this gives n_0 > 550, n_1 > 490. While these are much bigger than n_0 ~ 120 bits for English, no precise practical conclusion can be drawn, both because they are just lower bounds and because the actual complexity of key determination as a function of n is not yet known. For the numbers above, the cryptosystem would be secure if the optimal complexity is exponential in n.
4.3.3 Complexity-theoretic (CT) Security

Apart from IT security, the issue of complexity-theoretic (CT) security is of great practical importance. Indeed, in [2], we have argued that large enough search complexity security is as good as information-theoretic security in reality. For standard ciphers, we have seen that there is no IT security beyond the nondegeneracy distance. Thus, standard ciphers rely for their security under KPA basically on the complexity of algorithms to find the key. We now compare the situation with that of αη. For any attack, the mere fact that H(K|Y^n) = 0 (for CTA and STA) or H(K|Y^n X^n) = 0 (for KPA) does not mean that the unique key can be readily obtained from Y^n (and X^n in the case of KPA). For most ciphers, one needs to run an algorithm to obtain it. At worst, this algorithm can be a brute force search - one decrypts Y^n with all the 2^{|K|} possible keys until a valid plaintext is obtained. This search can easily be made prohibitive by choosing |K| large enough - |K| ~ 4000 used in experimental αη ^1 is already way beyond conceivable search capability. A better procedure that we call an assisted brute force search can exploit partial knowledge of the possible running key values for each bit as follows. Since each basis is specified by m = log_2(M) bits of the running key, and the seed key is revealed by a |K|-bit sequence of the running key for an ENC box of Fig. 3 that is an LFSR with known connection polynomial, we obtain an assisted brute-force search complexity of

C = \Gamma^{|K|/m}. \qquad (25)

For |K| = 4400 used there, C ~ 2^630, which is far beyond any conceivable search capability. While it is not known what Eve's optimal search complexity is, the advantage here is that this degree of randomization is achieved automatically by the coherent-state quantum noise at the ~ Gbps rate of operation of the system. Note also that it is not hard to increase M while maintaining the same data rate because the number of bits needed to select a basis on the circle scales logarithmically with M.

In practice, heuristic algorithms based on the structure of the ENC cipher are used to speed up the search. The rigorous quantitative performance of these algorithms is unknown for standard ciphers. However, one may view αη as an "enhancer" of security by providing an additional 'physical encryption' on top of the standard 'mathematical encryption' provided by the ENC box as follows.

For the ENC of Fig. 3 used as a standard cipher, so that

Y_i = X_i \oplus K_i, \quad K_i = \mathrm{ENC}(K_s), \qquad (26)

let the unicity distance for KPA be n_1. Let us assume that there exists an algorithm ALG(Y^{n_1}, X^{n_1}) whose output is the seed key K_s and that ALG has complexity C when used with inputs of length n_1. In order to compare this complexity with that of αη, we assume that the same ENC is used in an αη system. However, since m bits of the keystream output of ENC are used to choose the basis for one data bit in αη, we first 'match' the data stream and keystream in αη as follows.

We expand the ENC output keystream by applying m deterministic m-bit to m-bit functions {f_j}_{j=1}^m to each keystream symbol Z_i to get a new keystream Z' as follows:

Z' = (f_1(Z_1), \ldots, f_m(Z_1), f_1(Z_2), \ldots, f_m(Z_2), \ldots). \qquad (27)

We then use Z' instead of Z to choose the basis for each data bit.

The above modification results in the i-th m-block of ciphertext Y_{(i−1)m+1} ··· Y_{im} being dependent only on K_{(i−1)m+1} ··· K_{im} and X_{(i−1)m+1} ··· X_{im} for both ENC and αη with ENC. Under a KPA on ENC alone, using a known plaintext of length n_1, K_1 ... K_{n_1} is known exactly. For ENC augmented with αη in the described manner, it may happen that, because of the randomization of Z'_1 ··· Z'_{n_1}, K_1 ... K_{n_1} is not fixed by Y^{n_1} and X^{n_1}. In the latter case, we have IT security above that of ENC alone, even though such security may be lost for large enough n, as mentioned in the previous subsection.

Let us assume that, at the nondegeneracy distance n_1 of ENC, αη with ENC does not have IT security, so that H(K|X^{n_1} Y^{n_1}) = 0. Assume also that n_1 = mk. Even in such a case, it appears harder to implement the algorithm ALG that finds the key. As discussed in Section 2.2, the reason is that the randomization of the ciphertext Y_i, for each i, leaves each Z_i undetermined immediately after the measurement, even though, by our present assumption, only one possible seed key K can lead to the observed measurement results. If the number of possibilities for each Z_i is l, Eve may need to run the algorithm ALG l^k times, resulting in a complexity of l^{n_1/m} C versus C for ENC alone. Of course, there may exist a clever algorithm that enables her to do much better. All we claim here is that αη provides an additional but unquantified layer of security over that of the ENC box against KPA, both in the IT and CT senses. Thus, αη can be run on top of any standard cipher in use at present, e.g. AES (Advanced Encryption Standard), and provides an additional, qualitatively different layer of physical encryption security over AES under a known-plaintext attack.

An interesting point is that, if the above level of CT security against known-plaintext attack is sufficiently high for some data length n, there is at least as much security against CTA for the same n. However, this comparison may not be practically meaningful as a CTA can typically be launched for the entire sequence of data while usually only a much smaller segment of known-plaintext is available to the attacker. Typically, this would imply the attacks can be parallelized. On the other hand, the situation is practically favorable with AES used in the ENC - see ref. [25], where the immunity of αη against fast correlation attacks with and without DSR is also treated.

4.4 Overview of αη Features

We summarize the main known advantages and rigorous security claims regarding αη compared to previous ciphers:

(1) For known-plaintext attacks on the key, αη using an LFSR has an additional brute force search complexity given by Γ^{|K|/m}. When reconfigured as in Sec. 4.3.3, it also has at least as much IT security as the ENC box alone for the same length n of data.

(2) It may, when supplemented with further techniques, have information-theoretic security against known-plaintext attacks that is not possible with nonrandom ciphers, and would also have maximal information-theoretic security against ciphertext-only attacks.

(3) With added Deliberate Signal Randomization (DSR) [4], it is expected to have improved information-theoretic security on the data far exceeding the Shannon limit.

(4) It has high-speed private true randomization (from quantum noise that even Alice does not know), which is not possible otherwise with current or foreseeable technology.

(5) It suffers no reduction in data rate compared to other known random ciphers, because Bob needs to resolve only two and not M possibilities (i.e., one data bit is transmitted per qumode).

(6) It provides physical encryption, different from usual mathematical encryption, that forces the attacker to attack the optical line rather than simply the electronic bit output.

5 Nishioka et al's criticisms of αη

In this section, we discuss the criticisms made by Nishioka et al [6] and respond to them. This section has some overlap with [20] (that was not published), but contains new material.
5.1 Claims in Nishioka et al [6]

Nishioka et al claim that αη can be reduced to a classical non-random stream cipher under the attack that we now review. For each transmission i, Eve makes a heterodyne measurement on the state and collapses the outcomes to one of 2M possible values. Thus, the outcome j ∈ {0, ..., 2M − 1} is obtained if the heterodyne result falls in the wedge for which the phase θ ∈ [θ_j − π/2M, θ_j + π/2M], where θ_j = πj/M. Further, for q ∈ {0, ..., M − 1} representing the M possible values of each Z_i, Nishioka et al construct a function F_j(q) with the property that, for each i, and the corresponding running key value actually used,

F_{j^{(i)}}(Z_i) = r_i \qquad (28)

with probability very close to 1. In fact, for the parameters S = 100 and M = 200, they calculate the probability that Eq. (28) fails to hold to be 10^−44, which value they demonstrate to be negligible for any practical purpose.

The authors of [6] further claim that the above function F_{j^{(i)}}(q) can always be represented as the XOR of two bit functions G_{j^{(i)}}(q) and l_{j^{(i)}}, where l_{j^{(i)}} depends only on the measurement result. Thus, they make the claim that the equation

l_{j^{(i)}} = r_i \oplus G_{j^{(i)}}(Z_i) \qquad (29)

holds with probability effectively equal to 1. They then observe that a classical additive stream cipher [Z| (which is non-random by definition) satisfies

l_i = r_i \oplus k_i, \qquad (30)

where r_i, l_i, and k_i are respectively the ith plaintext bit, ciphertext bit and running key bit. Here, k_i is obtained by using a seed key in a pseudo-random-number generator to generate a longer running key. The authors of [6] then argue that since l_{j^{(i)}} in Eq. (29), like the l_i in Eq. (30), depends just on the measurement result, the validity of Eq. (29) proves that the security of Y-00 is equivalent to that of a classical stream cipher. In particular, they claim that by interpreting l_{j^{(i)}} as the ciphertext, Y-00 is not a random cipher, i.e., it does not satisfy Eq. (10) of the next section.

We analyze and respond to these claims and other statements in [6] in the following section.

5.2 Reply to claims in [6]

To begin with, we believe that Eq. (28) (Eq. (14) in [6]) is correct with the probability given by them. The content of this equation is simply that Eve is able to decrypt the transmitted bit from her measurement data J_N and the key K_s. In other words, it merely asserts that Eq. (11) holds for Y_N = J_N. As such, it does not contradict, and is even necessary for, the claim that αη is a random cipher for Eve. In fact, we already claimed in jl] and ^1] that such a condition holds. In this regard, note also that the statement in Section 4.1 of [6] that "informational secure key generation is impossible when (Eq. (11) of this paper) holds" is irrelevant, since direct encryption rather than key generation is being considered here. Furthermore, we have already pointed out |3 HI E] that the Shannon limit prevents key generation with the experimental parameters used so far, a point missed in jSHHHH]. See also [26].

We also agree with the claim of Nishioka et al that it is possible to find functions l_{j^{(i)}} and G_{j^{(i)}}(q), the former depending only on the measurement result, such that Eq. (29) holds, again with probability effectively equal to one. The error in [6] is to use this equation to claim, in analogy with Eq. (30), that αη is reducible to a classical nonrandom stream cipher.

To understand the error in their argument, note that, for Eq. (30) to represent an additive stream cipher, the l_i in that equation should be a function only of the measurement result, and k_i should be a function only of the running key. While the former requirement is true also for the l_{j^{(i)}} in Eq. (29), the latter is certainly false for the function G_{j^{(i)}}(Z_i) in Eq. (29), since it depends both on the measurement result and the running key Z_i. Indeed, it can be seen that the definition of the function F_{j^{(i)}}(Z_i), and thus G_{j^{(i)}}(q), depends on the sets C^+_{j^{(i)}} and C^−_{j^{(i)}} defined in Eq. (12) of [6]. The identity of these sets in turn depends on the relative angle between the basis q and Eve's estimated basis j'^{(i)} = j^{(i)} mod M. Thus, it is clearly the case that G_{j^{(i)}}(Z_i) must depend both on j'^{(i)} and Z_i, a fact also revealed by the inclusion of the subscript j^{(i)} by the authors of [6] in the notation for G.

Notwithstanding the failure of Eq. (29) to conform to the requirements of a stream cipher representation Eq. (30), Nishioka et al reiterate that Y-00 is nonrandom because

H(L_N \mid R_N, K_s) = 0 \qquad (31)

holds, where L_N = (l_{j^{(1)}}, ..., l_{j^{(N)}}). This equation follows from Eq. (29), and so, by considering L_N to be the ciphertext, Eq. (10) is not satisfied, thus supposedly making Y-00 nonrandom. The choice of L_N as the ciphertext is supported by the statement in [6] that "It is a matter of preference what we should refer to as "ciphertext"." This is indeed true, especially considering that there are different possible quantum measurements that may be made on the quantum state in Eve's possession, each giving rise to a different ciphertext. This point is also highlighted by our definition of a quantum random cipher. However, if one wants to claim
equivalence to a non-random cipher for some particular choice of ciphertext Y_N, one must show that Eq. (10) is violated and that Eq. (11) is satisfied using the chosen ciphertext in both equations. In other words, no equivalence to any kind of cipher is shown unless one can also decrypt with the chosen ciphertext and key alone. However, one may readily see that, taking Y_N = L_N, Eq. (11) is not satisfied, i.e., H(R_N|L_N, K_s) ≠ 0. The reason is that, as we noted from our analysis above of the function G_{j^{(i)}}(q), decrypting requires knowledge of certain ranges in which the angle between the basis chosen by the running key and the estimated basis j'^{(i)} falls. To convey this information for every possibility, one needs at least log_2(2M) bits. It follows that the single bit l_{j^{(i)}} is insufficient for the purpose of decryption, and so Eq. (11) cannot be satisfied for Y_N = L_N. Therefore, we conclude that in the interpretation of L_N as the ciphertext, decryption is not possible even if Eve has the key K_s. Indeed, it is J_N that can be regarded as a possible ciphertext, since Eq. (11) is satisfied for Y_N = J_N. However, with this choice of ciphertext, Y-00 necessarily becomes a random cipher, because H(J_N|R_N, K_s) ≠ 0, a fact admitted by Nishioka et al in [6].
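As an added example, not code from this paper or from Nishioka et al, the following Python enumerates the argument above for M = 200 (their parameter): it digitizes Eve's heterodyne phase to j ∈ {0, ..., 2M − 1} as in Sec. 5.1, uses a constructed decryption rule F_j(q) (the bit whose state in basis q lies closer to θ_j; the text ascribes this property to F but does not give their formula), and checks by exhaustion whether F_j(q) can be written as l_j ⊕ g(q) with g independent of j, as the stream-cipher form of Eq. (30) would require, and how many distinct decryption maps the 2M outcomes induce.

```python
import math


def pol(q):
    """Pol(q) = 0 for even q, 1 for odd q."""
    return q & 1


def theta(x, q, M):
    """Mapper of Sec. 4.1: theta(x, q) = [q/M + (x xor Pol(q))] * pi."""
    return (q / M + (x ^ pol(q))) * math.pi


def ang_dist(a, b):
    """Smallest angle between the directions a and b (radians)."""
    return abs((a - b + math.pi) % (2 * math.pi) - math.pi)


def digitize(phi, M):
    """Sec. 5.1: collapse a heterodyne phase to j in {0, ..., 2M-1}, the outcome
    whose centre theta_j = pi j / M lies within pi/2M of phi."""
    return int(math.floor(phi / (math.pi / M) + 0.5)) % (2 * M)


def F(j, q, M):
    """Constructed decryption rule F_j(q): the bit whose state in basis q is
    closer to Eve's estimated phase theta_j (ties, at exactly pi/2, go to 0)."""
    thj = math.pi * j / M
    return 0 if ang_dist(thj, theta(0, q, M)) <= ang_dist(thj, theta(1, q, M)) else 1


def noiseless_decrypt_ok(M):
    """Eq. (28) for this F without noise: F_j(q) returns the sent bit whenever j
    is the digitization of the transmitted phase."""
    return all(F(digitize(theta(x, q, M), M), q, M) == x
               for q in range(M) for x in (0, 1))


def stream_cipher_counterexample(M):
    """A stream-cipher form F_j(q) = l_j xor g(q), with l depending on j only and
    g on q only, exists iff F_j(q) xor F_j(0) is the same for every j.
    Return (j, j', q) with F_j(q)^F_j(0) != F_j'(q)^F_j'(0), or None."""
    for q in range(M):
        ref = F(0, q, M) ^ F(0, 0, M)
        for j in range(1, 2 * M):
            if F(j, q, M) ^ F(j, 0, M) != ref:
                return (0, j, q)
    return None


def distinct_decryption_maps(M):
    """How many different functions q -> F_j(q) Eve's 2M outcomes give rise to.
    Bob's decryptor must be told which one applies; a single bit l_j can
    distinguish at most two of them."""
    return len({tuple(F(j, q, M) for q in range(M)) for j in range(2 * M)})


if __name__ == "__main__":
    M = 200   # number of bases used by Nishioka et al for their estimate
    print("F decrypts noiselessly:", noiseless_decrypt_ok(M))
    print("counterexample (j, j', q):", stream_cipher_counterexample(M))
    n = distinct_decryption_maps(M)
    print("distinct decryption maps: %d (about %.1f bits, not 1)" % (n, math.log2(n)))
```

The counterexample shows that no j-independent G can make Eq. (29) a stream cipher for this F, and the count of decryption maps is the concrete form of the statement above that more than one bit per qumode must accompany the key for decryption.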

We hope that the discussion above makes it clear that the 'reduction' of αη in [6] to a non-random cipher is false, and that in fact, no such reduction can be made under the heterodyne attack considered in [6]. Indeed, as detailed in previous sections, the representation of ciphertext by Y_N = J_N does reduce it to a random cipher under the heterodyne attack. Its quantitative random cipher characteristics, namely Γ of Eq. (13) and Λ of Eq. (14), are as follows, for various definitions of "ciphertext" adopted.

If the full continuous observation on the circle is taken as the ciphertext, then (20) shows that Γ ~ 3 for typical experimental parameters. If the ciphertext alphabet is digitized and taken to be the 2M arc segments around the 2M states on the circle, then αη has, for any (x_i, Z_i, r), Λ + 1 = 2(Γ + 1) where Γ is given by (20). If one attempts to 'de-randomize' the ciphertext by clubbing together the possibilities, Γ would increase while Λ would decrease. In the nonrandom limit where a fixed half-circle observation is taken to represent each bit value, which is the nonrandom reduction discussed in [14], Γ would increase from that of Eq. (20) to M, making attacks on the key completely impossible. On the other hand, while Λ = 0 for a binary ciphertext alphabet, the 2M-outcome ciphertext would lead, from Eq. (20), to an error probability per ciphertext bit for Eve [Ti]:

P_b^E \simeq \frac{2}{\pi\sqrt{S}}. \qquad (32)

Eq. (32) is obtained in the wedge approximation on a per qumode basis for Eve, under the assumption that the state is uniformly distributed on the circle, which is satisfied for uniform data and an LFSR for the ENC box of Fig. 3. It leads to a 0.1 − 1% error rate for Eve on the ciphertext (not data [2Zj) for the experimental parameters of [SI EE]. As a consequence, the data security will far exceed the Shannon limit (J2J) because she would make many errors even when the correct key is given to her for decryption. For any other ciphertext alphabet division of the circle, it is clear that Λ > 0 for any z_i and x_i from the same randomization for states near the ciphertext alphabet boundaries on the circle.

In sum, there can be no nonrandom reduction of αη. If the ciphertext alphabet is chosen to make αη nonrandom, then known-plaintext attack on the key is impossible and the ciphertext itself would be obtained with significant noise.

We conclude this section by responding to some other statements made in [6].

In Section 3.3, Nishioka et al claim that "The value of l_{j^{(i)}} does not have to be the same as that of l_{j^{(i')}} when i ≠ i', even if j^{(i)} = j^{(i')} holds." This statement is in direct contradiction to their previous statement in the same subsection that "l_{j^{(i)}} depends only on the measurement value j^{(i)}".

In the same subsection, Nishioka et al claim that "In (|Ej), we showed another concrete construction of ...". We could find no explicit construction of l_{j^{(i)}} in that paper. We were led to the choice of l_i described in [6] by the attempt to make the stream cipher representation Eq. (30) valid. In fact, such a representation is claimed by Nishioka et al in their Case 2 of [6]. It turned out, however, that decryption using that k_i suffered a 0.1 − 1% error depending on the value of S used, as noted above. See ^3] for further details. While it was later claimed that they have a different reduction in mind [6], the reduction in ^3] is the only one that makes αη nonrandom (but in noise). In any case, as we have shown above, no construction of a single-bit l_{j^{(i)}} from the heterodyne or phase measurement results can satisfy Eq. (29) with the extremely low probability given in [6].
Appendix A — Security under Statistical and Known-Plaintext Attacks



In this appendix, we summarize some relevant terminology and results from ref. [2] on the key security of a random cipher. We first present an overview of the various cryptographic attacks possible on a cipher and some early results on the subject. We also present our result on the security of a nonrandom cipher under known-plaintext attacks. In the process, we define the important term 'unicity distance' coined by Shannon and broaden it to include the notion of 'unicity distance under known-plaintext attack' for both random and nonrandom ciphers. We also define the important concept of 'nondegeneracy' for both random and nonrandom ciphers that is needed to make the concept of unicity distance meaningful. Finally, we discuss how random ciphers may enhance security against known-plaintext attacks.

The following terminology in regard to cryptographic attacks has been used in this paper, as in [2]. This terminology is not standard, however. In the cryptography literature, what we call statistical attacks are sometimes referred to as ciphertext-only attacks (See, e.g., [Zj, Ch. 2) but are also often lumped together with known-plaintext attacks.

By a ciphertext-only attack (CTA), we refer to the case where the probability distribution p(X^n) is completely uniform, i.e., p(X^n) = 2^{−n} to Eve, so that her attack cannot exploit input frequencies or correlations and must be based only on the ciphertext in her possession. By a statistical attack (STA), we refer to the case where the probability distribution p(X^n) is nonuniform, so that Eve may in principle exploit input frequencies or correlations to launch a better attack. Such an attack is typical when the plaintext is in a language such as English. It is also the attack that obtains when the {X_i} are independent and identically distributed (i.i.d.) but each p(X_i) is nonuniform. By a known-plaintext attack (KPA) we mean the case where Eve knows exactly some length m of plaintext x^m. Finally, by a chosen-plaintext attack (CPA), we mean a KPA where the data x^m is chosen by Eve.

In standard cryptography, one typically does not worry about ciphertext-only attack on nonrandom ciphers. The reason is that, under CTA, Eq. (7) is satisfied with equality for large n for the designed key length |K| = H(K) under a certain 'nondegeneracy' condition [12] that is readily satisfied. Thus, in practice, the data security is assumed to be sufficient if H(K) is chosen large enough by adjusting the key length. In this paper, we would essentially make the same assumption and, with few exceptions, do not discuss data security per se. However, it follows from (7) that no meaningful lower bound on H(X^n|Y^n) exists for n ≫ |K|. A new fundamental treatment of data security in symmetric-key ciphers has to be developed separately.
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Under CTA, it is also the case for nonrandom nondegenerate ciphers that jl2j 



H{K\Y n ) = H{K) 



(33) 



i.e., the key is statistically independent of the ciphertext. Thus, no attack better 
than pure guessing can be launched on the key. 

The above two results do not hold for statistical and known-plaintext attacks. Eve 
can indeed launch an attack on the key and use her resulting information on the key 
to get at future and past data. In fact, it is such attacks that are the focus of concern 
for standard ciphers such as the Advanced Encryption Standard (AES). For STAs, 
Shannon [3] characterized the security by the so-called unicity distance. The unicity 
distance n_0 of a cipher is the smallest input data length for which H(K|Y^{n_0}) = 0. 
In other words, if a plaintext sequence of length n_0 is encrypted by the cipher, the 
ciphertext contains enough information to fix the key (and hence, the plaintext) 
uniquely; the cipher has no information-theoretic security. For nonrandom ciphers 
defined by Eq. (1), Shannon, in [3], derived in terms of the data entropy an estimate 
on n_0 that is independent of the cipher. This estimate is actually not a rigorous 
bound. Indeed, it can be shown that one of the inequalities used in the derivation 
goes in the wrong direction. Even so, the estimate works well empirically for English 
language plaintexts, for which n_0 ≈ 25 characters are found to be sufficient to break 
many ciphers. 

We now consider, in some detail, security against known-plaintext attacks. Here, 
a natural quantity to consider is H(K|X^n Y^n), since it provides a measure of key 
uncertainty when both plaintext and ciphertext are known to the attacker. Before 
we state the main result, we define the notion of nondegeneracy distance. The reader 
can readily convince himself that a finite unicity distance exists only if, for some n, 
there is no redundant key use in the cryptosystem, i.e., no plaintext sequence x^n is 
mapped to the same ciphertext y^n by more than one key value. With redundant 
key use, one cannot pin down the key, but it seems that this may not enhance the 
system security either, and so is merely wasteful. The exact possibilities will be 
analyzed elsewhere. For now, we call a cipher nondegenerate in this paper if it has 
no redundant key use for some finite n or for n → ∞. Under the condition 

(34) 

which is similar but not identical to the definition of a 'nondegenerate' cipher given 
in one may show that, when Eq. (1) also holds, one has 

\lim_{n \to \infty} H(K|X^n, Y^n) = 0, (35) 

so that the system is asymptotically broken under a known-plaintext attack. More 
generally, for a nonrandom cipher, we define a nondegeneracy distance to be the 
smallest n such that 

H(Y^n|X^n) = H(K) (36) 

holds, with n_d = ∞ if (34) holds and there is no finite n satisfying (36). Thus, a 
nonrandom cipher is nondegenerate in our sense if it has a nondegeneracy distance, 
finite or infinite. In general, of course, the cipher may be degenerate, i.e., it has no 
nondegeneracy distance. We can readily show (see Appendix A of [2]) that, under 
known-plaintext attack, a nonrandom nondegenerate cipher is broken at data length 
n = n_d, in the sense that 

H(K|X^{n_d} Y^{n_d}) = 0. (37) 

More generally, for both random and nonrandom ciphers, we define the unicity 
distance under known-plaintext attacks, denoted by n_1, to be the smallest integer 
such that 

H(K|X^{n_1} Y^{n_1}) = 0. (38) 

If no such integer exists, the unicity distance under KPA is taken to be infinite if 
\lim_{n \to \infty} H(K|X^n Y^n) = 0. Thus, n_1 is the minimum length of data needed to break 
the cipher for any possible known plaintext X^n. For a nonrandom cipher, it is equal 
to the nondegeneracy distance. 

Many ciphers, including the one-time pad and LFSRs (linear feedback shift 
registers [7]), have finite n_1. Similar to the case of n_d for nonrandom ciphers, n_1 for 
a random cipher may not always exist. For our definition of n_1 to make sense for 
random ciphers, we will impose a 'nondegeneracy' restriction on random ciphers: A 
random cipher is said to be nondegenerate if and only if each nonrandom cipher 
resulting from an assignment R = r of the randomizer is nondegenerate. Then we 
say it has information-theoretic security against known-plaintext attacks if 

\inf_n H(K|X^n, Y^n) \neq 0, (39) 

i.e., if H(K|X^n, Y^n) cannot be made arbitrarily small whatever n is. In other words, 
n_1 does not exist. The actual level of the information-theoretic security is quantified 
by the left side of (39). One major motivation to study random ciphers is the 
possibility that they possess such information-theoretic security. Some discussion on 
this point is also available in Appendix A of [2]. 

Even in the absence of information-theoretic security, nondegenerate random 
ciphers can be expected (see the discussion in Section 2.2) to have a larger unicity 
distance n_1 under KPA compared to the case where the randomization is turned 
off. This would, as assumed in cryptography practice, increase the complexity of 
attacking the key significantly. If Eq. (37) holds when X^n is replaced by a specific 
x^n, n defines the unicity distance corresponding to x^n. The overall unicity distance 
under KPA may be defined by 

\bar{n}_1 = \min \{ n : H(K|X^n = x^n, Y^n) = 0 \text{ for some } x^n \}. (40) 

The above result has not been given in the literature, perhaps because H(K|X^n Y^n) 
has not been used previously to characterize known-plaintext attacks. Nevertheless, 
it is assumed to be true in cryptography practice that K would be pinned down for 
sufficiently long n in a nonrandom 'nondegenerate' cipher. 
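The quantities n_d, n_1 and the criterion (39) can be computed exactly for a small cipher. The following is an added example, not code from the paper: it takes a constructed toy additive cipher Y_i = X_i ⊕ K_{i mod 2} ⊕ R_i with a uniform 2-bit key and an i.i.d. Bernoulli(p) randomizer R_i (assumed here, not a cipher from the paper), and evaluates H(K|X^n, Y^n) by enumeration. With p = 0 the randomizer is off and the cipher is its nonrandom reduction (n_d = 2); with p = 1/2 the key stays independent of all plaintext-ciphertext pairs, so inf_n H(K|X^n, Y^n) = H(K) as in (39); for 0 < p < 1/2 the key entropy decays with n but is zero for no finite n.

```python
import math
from itertools import product

KEY_BITS = 2  # constructed toy key K = (k_0, k_1), uniform over its 4 values


def key_entropy_given_pairs(n, p):
    """Exact H(K | X^n, Y^n) in bits for the constructed toy cipher
    Y_i = X_i xor K_{i mod KEY_BITS} xor R_i, with R_i i.i.d. Bernoulli(p).
    The cipher is additive, so the conditional entropy does not depend on the
    known plaintext x^n; we fix x^n = 0 and enumerate every ciphertext y^n."""
    keys = list(product((0, 1), repeat=KEY_BITS))
    total = 0.0
    for y in product((0, 1), repeat=n):
        # Likelihood P(y^n | k, x^n = 0) = prod_i P(R_i = y_i xor k_{i mod KEY_BITS}).
        likelihood = []
        for k in keys:
            pr = 1.0
            for i, y_i in enumerate(y):
                r_i = y_i ^ k[i % KEY_BITS]
                pr *= p if r_i else 1.0 - p
            likelihood.append(pr)
        p_y = sum(likelihood) / len(keys)  # marginal P(y^n) with a uniform key
        if p_y == 0.0:
            continue
        posterior = [lk / len(keys) / p_y for lk in likelihood]  # P(k | y^n)
        h_given_y = -sum(q * math.log2(q) for q in posterior if q > 0.0)
        total += p_y * h_given_y
    return total


def kpa_unicity_distance(p, max_n=12, tol=1e-12):
    """Smallest n with H(K | X^n, Y^n) = 0: this is n_d for the nonrandom
    reduction (p = 0) and n_1 in general. Returns None when no n up to max_n
    pins the key down, which covers both the 'n_1 infinite' and the
    'n_1 does not exist' cases of the text."""
    for n in range(max_n + 1):
        if key_entropy_given_pairs(n, p) < tol:
            return n
    return None


if __name__ == "__main__":
    for p in (0.0, 0.25, 0.5):
        row = [round(key_entropy_given_pairs(n, p), 3) for n in range(7)]
        print(f"p={p}: H(K|X^n,Y^n) for n=0..6 -> {row}; n_1 = {kpa_unicity_distance(p)}")
```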

We now discuss the advantages that a random cipher provides as compared to 
nonrandom ciphers. For the case of STA on the key when the plaintext X^n has 
nonuniform but i.i.d. statistics, the so-called homophonic substitution method 
provides complete information-theoretic security, i.e., H(K|Y^n) = H(K) [2]. The 
original form of homophonic substitution involves assigning to each plaintext symbol 
a number of possible sequences of length l proportional to its a priori probability in 
such a way that all possible l-sequences are covered. Then, for every input symbol, 
if one of its assigned l-sequences is generated at random, the net effect is to 
generate l-sequences of plaintext with i.i.d. uniform statistics. These sequences may be 
passed through a non-degenerate cipher without revealing information on the key 
as per Eq. (33). To put it another way, a statistical attack has been converted to 
a ciphertext-only attack. A generalized homophonic substitution that allows each 
symbol to be coded into sequences of variable length is discussed in [12], for which 
it is shown that sometimes data compression instead of data expansion results. 
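The original homophonic substitution just described, written out as an added example (not the paper's code): a constructed source over {a, b, c, d} with dyadic probabilities 1/2, 1/4, 1/8, 1/8 and l = 3, so that every count p_s 2^l is an integer and the blocks partition all 3-bit sequences. The exact output distribution is then uniform over the 2^l sequences, and decoding is a table lookup because the blocks are disjoint; the homophone for each symbol is drawn from `secrets`, since the randomization must be unpredictable to Eve.

```python
import secrets
from fractions import Fraction

# Constructed source statistics (not from the paper); probabilities must be
# dyadic so that each p_s * 2^l is an integer for the chosen block length l.
SOURCE_PROBS = {"a": Fraction(1, 2), "b": Fraction(1, 4),
                "c": Fraction(1, 8), "d": Fraction(1, 8)}
L = 3


def build_homophone_table(probs, l):
    """Assign each symbol s a block of p_s * 2^l distinct l-bit sequences so
    that the blocks partition all 2^l sequences (classical homophonic substitution)."""
    seqs = [format(i, f"0{l}b") for i in range(2 ** l)]
    table, pos = {}, 0
    for s, p_s in probs.items():
        count = p_s * 2 ** l
        if count.denominator != 1:
            raise ValueError(f"p({s}) * 2^{l} is not an integer; use a larger l")
        table[s] = seqs[pos:pos + int(count)]
        pos += int(count)
    if pos != 2 ** l:
        raise ValueError("probabilities must sum to 1")
    return table


def encode(table, plaintext):
    """Replace each symbol by one of its homophones, chosen uniformly at random."""
    return "".join(secrets.choice(table[s]) for s in plaintext)


def decode(table, l, bits):
    """Homophones of different symbols are disjoint, so decoding is a lookup."""
    inverse = {seq: s for s, block in table.items() for seq in block}
    return "".join(inverse[bits[i:i + l]] for i in range(0, len(bits), l))


def output_distribution(table, probs):
    """Exact P(l-sequence): the only symbol whose block contains it contributes
    p_s / |block_s| = p_s / (p_s 2^l) = 2^-l, so the output is i.i.d. uniform."""
    dist = {}
    for s, block in table.items():
        for seq in block:
            dist[seq] = dist.get(seq, Fraction(0)) + probs[s] / len(block)
    return dist


if __name__ == "__main__":
    table = build_homophone_table(SOURCE_PROBS, L)
    bits = encode(table, "abacad")
    print(table, bits, decode(table, L, bits))
    print(set(output_distribution(table, SOURCE_PROBS).values()))
```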

Unfortunately, this reduction of a STA to a CTA does not work for known-plaintext 
attacks. However, we emphasize that there is no result on random ciphers 
analogous to Eq. (37) with n_d replaced by any definite n depending on the cipher, 
since under randomization, Eq. (1), and usually (36) also, does not hold for any 
n. Indeed, an inspection of the defining equation Eq. (13) for a random cipher (or 
Fig. 1) suggests how a random cipher may provide greater security against KPAs. 
For a given plaintext-ciphertext sequence pair, Eq. (13) suggests that one has some 
residual uncertainty on the value of the keystream (Z_1, ..., Z_n), which does not exist 
for a corresponding nonrandom cipher. On the other hand, Eq. (13) refers only to the 
per-symbol uncertainty of the keystream calculated without regard to the ciphertext 
observed for the other symbols in the sequence. When such correlations are taken 
into account, the uncertainty on the keystream may be drastically reduced, and we 
can give no general quantitative assertions of information-theoretic security. Note, 
however, that due to the randomization, the unicity distance n_1 of a random cipher 
under known-plaintext attacks can be expected to be bigger than that of any of its 
nonrandom reductions. Thus, the complexity-based security would be greater. 

In fact, the general problem of attacking a random cipher has received limited 
attention because such ciphers are not used in practice, due to the associated reduction in 
effective bandwidth or data rate (as is evident in homophonic substitution), due to the 
need for high-speed random number generation, and also due to the uncertainty on 
the actual input statistics needed for, e.g., homophonic substitution randomization. 
Thus, the rigorous quantitative security of symmetric-key random ciphers against 
known-plaintext attacks is not known theoretically or empirically, although in principle 
random ciphers have the actual and potential advantages just discussed. 
increased to the level of the original data rate by DSR. This involves moving 
the state to the basis boundary, with Bob utilizing a different matching quantum 
measurement. For the case of key generation with uniform data, the output 
state is still uniformly distributed on the circle on a per-qumode basis to Eve. 
However, Bob's optimal performance has not been characterized with DSR. A 
detailed discussion of αη key generation will be presented later. We may observe 
that the use of DSR in direct encryption would necessitate the use of an 
error-correcting mechanism, in contrast with the original αη, and would break 
the Shannon limit (12). The significance and practicality of such variations of 
αη have been briefly mentioned in and will be treated elsewhere. 